Supplement to Audit Report No. 03-013,
FDIC Procurement Credit Card Program, dated January 31, 2003


April 24, 2003

** This supplement is not an audit report. Audit Report No. 03-013 is located after this supplement. **

This supplement contains copies of correspondence between the Office of Inspector General (OIG) and the Division of Administration (DOA) subsequent to the issuance of Audit Report No. 03-013, dated January 31, 2003. The intent of this supplement is to show progress made on the resolution of matters that were unresolved at the time the OIG issued the final report.


TABLE OF CONTENTS

I. OIG Assessment of Management Response to the Final Report

Memorandum dated March 28, 2003, from the Assistant Inspector General for Audits to the Director, Division of Administration

II. Management Response to the Final Report

Memorandum dated February 28, 2003, from the Director, Division of Administration, to the Assistant Inspector General for Audits


 

I. OIG Assessment of Management Response to the Final Report

 


FDIC
Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: March 28, 2003

MEMORANDUM TO: Arleas Upton Kea, Director, Division of Administration

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: Assessment of DOA Response to Final Report Entitled FDIC Procurement Credit Card Program (Audit Report No. 03-013)

We have reviewed your February 28, 2003 memorandum replying to our request for the Division of Administration (DOA) management to reconsider its response to unresolved recommendations 2 and 3 contained in the subject audit report. We agree with your position that corrective action is best directed towards the FDICís general policies and practices governing food and beverage expenditures in the conduct of official business, and we appreciate DOAís reconsideration of our recommendations.

Based on your memorandum and a copy of your action plan entitled Revision/Clarification of FDIC Policy on the Use of Corporate Funds for Food and Alcohol, we consider the two outstanding recommendations in the subject report to be resolved. Our analysis of DOAís response to the two recommendations is set forth below after the pertinent recommendations:

  1. Define extravagant meals and refreshments and what constitutes an allowable and unallowable expense for meal purchases using the procurement credit card.

  2. Prohibit the purchase of alcoholic beverages using the procurement credit card.

OIG Analysis: These two recommendations relate to our findings that procurement credit cards were used for meals and refreshments that could be considered "extravagant" and where the business purpose was questionable based on existing FDIC policy. Also, charges included alcoholic beverages, which is an expense for which the FDIC does not reimburse employees under its general travel policies. DOA stated in its latest response that DOA will lead a cross-organizational team to review existing corporate policy and practice related to the purchase of food and alcoholic beverages in the conduct of official business. The review will be conducted by March 31, 2003 and DOA believes that it will result in new corporate-wide policies and procedures, appropriate definitions, rules for use, and approval levels for these two types of expenditures. DOA will forward the revised policies and procedures to the OIG for review by April 15, 2003. The OIG will review the revised policies and procedures upon completion and will determine whether changes to the policies and procedures fully address our concerns. At this time, the recommendations are resolved; however, they will remain undispositioned and open until we have determined that planned corrective actions have been completed and are effective.

No further response is required from DOA management. We will continue to monitor implementation of these actions. If you have any questions concerning the report, please contact me at (202) 416-2543 or Sharon M. Smith at (202) 416-2430. We appreciate the courtesies extended to the audit staff.

cc: Vijay G. Deshpande, DIRM
David McDermott, DOA
Andrew Nickle, DOA
Mike MacDermott, OICM
Corrine Watts, OICM


 

II. Management Response to the Final Report

 


Federal Deposit Insurance
Federal Deposit Insurance Corporation

550 17th St. NW Washington DC, 20429
Division of Administration

February 28, 2003

TO: Russell A. Rau, Assistant Inspector General for Audits

FROM: Arleas Upton Kea [Electronically produced version; original signed by Arleas Upton Kea], Director

SUBJECT: Final Report Entitled FDIC Procurement Credit Card Program

This responds to your memorandum dated January 31, 2003 which provided the final audit report for the Procurement Credit Card Program and requested further management comments regarding our nonconcurrence with recommendations 2 and 3. These recommendations requested DOA take action to define extravagant meals and refreshments as allowable or unallowable expenses for payment under the procurement card program and, further, that DOA prohibit the purchase of alcoholic beverages with the credit cards.

As stated in our January 24, 2003 management decision, we believe that the Acquisition Policy Manualís policies and procedures sufficiently address the purchase of meals and refreshments and that controls are in place to minimize potential risks to the Corporation. As was discussed at the recent Audit Committee meeting, we appreciate your understanding that these recommendations should not be directed at the Procurement Card Program, but rather towards FDICís general policy and practice governing food and beverage expenditures in the conduct of official business.

To resolve the outstanding audit recommendations related to these questioned expenditures, DOA agrees to lead a cross-organizational team to review existing corporate policy and practice related to the purchase of food and alcoholic beverages in the conduct of official business. The review is to be concluded by March 31, 2003 and we believe it will result in new corporate-wide policies and procedures, appropriate definitions, rules for use, and approval levels for these two types of expenditures. The policies and procedures will be forwarded for management and OIG review by April 15, 2003.

If you have any questions on this response, please contact David McDermott, Agency Program Coordinator for the Procurement Credit Card Program, on x23434.

FDIC Procurement Credit Card Program
FDIC OIG Audit Report Banner


FDIC Procurement Credit Card Program

January 31, 2003
Audit Report No. 03-013

FDIC
Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: January 31, 2003

TO: Arleas Upton Kea, Director, Division of Administration; and Fred S. Selby, Director, Division of Finance

FROM: Russell A. Rau [Electronically produced version; original signed by Sharon M. Smith], Assistant Inspector General for Audits

SUBJECT: FDIC Procurement Credit Card Program (Audit Report No. 03-013)

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has completed an audit of the FDICís procurement credit card program. In May 2000, we issued another audit report regarding the FDICís procurement credit card program. (Note: FDIC OIG Audit Report No. 00-015, Audit of the Corporationís Procurement and Travel Card Programs, dated May 24, 2000.) Our May 2000 report focused on an evaluation of established policies and procedures and administrative compliance reviews performed by the FDICís Division of Administration (DOA). DOA performed the reviews of procurement credit card transactions to ensure compliance with the policies and procedures. The audit showed that the FDIC adequately implemented those control activities, and employees properly utilized the cards. In September 2001, we received a request from Senator Charles E. Grassley, Ranking Minority Member, U.S. Senate Committee on Finance, regarding the FDICís use of government charge cards. We undertook two additional audits in response, one related to the FDICís travel card program and the subject review related to the Corporationís procurement credit card program. (Note: FDIC OIG Audit Report No. 02-030, FDIC Travel Card Program, dated August 30, 2002.) The objective of our current audit was to determine whether the FDIC had implemented effective internal control over its procurement credit card program to reduce the risk of improper procurement credit card usage. (Note: The five standards for internal control in the federal government as prescribed by the U.S. General Accounting Office (GAO) in Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999) are: (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communications, and (5) monitoring. These standards provide a general framework. In implementing these standards, management is responsible for developing the detailed policies, procedures, and practices to fit their agencyís operations and to ensure that they are built into and an integral part of operations.) Appendix I provides details of our scope and methodology.

BACKGROUND

In an effort to streamline the procurement process for low dollar goods and services, the General Services Administration (GSA) initiated the Government-Wide Credit Card Program. The Government-Wide Credit Card Program allows appropriately authorized federal employees to make official government purchases using a procurement credit card. The program was designed to reduce the administrative timeframes and costs generally associated with low dollar value procurements.

The GSA awarded contracts to various banks to provide the procurement credit card services for federal agencies. Each participating agency was permitted to select a bank to provide its credit card services. The FDIC elected to participate in the credit card program and selected the Bank of America. Each month the Bank of America provides the FDIC with a billing statement reflecting all procurement credit card purchases.

In order to provide guidelines for conducting its credit card program, the FDIC developed the FDIC Acquisition Policy Manual (APM), Section 9.E., entitled FDIC Procurement Credit Card Program. The policy describes control activities, the roles and responsibilities of individuals and the FDIC offices that conduct the program, guidelines for credit card usage, purchase limits, and administrative procedures such as how to request a card. Key roles within the FDICís procurement credit card program include the Agency Program Coordinator (APC) within DOA, Approving Officials (AO), Cardholders, and Accounting Contacts. The APC serves as the liaison to the Bank of America, and GSA and is responsible for oversight and administration of the FDIC program nationwide. Also, the APC develops program policies, provides clarification and guidance to program participants, and is responsible for reporting program activities to FDIC executive management.

AOs are representatives of an FDIC division or office who are responsible for reviewing and approving all charges incurred by cardholders. According to the APM, AOs are responsible for periodically reviewing purchase receipts in conjunction with the approval of the monthly statements; verifying proper documentation; assisting with the resolution of disputed items, when necessary; and ensuring compliance with the FDIC billing officeís requirements for statement verification and approval and cardholders exceeding established monthly procurement limits. The APM requires AOs to ensure that the cardholder maintains complete records of all credit card charges, including the original monthly billing statement, charge slips, and original receipts. In addition, the APM requires AOs to review purchase receipts to ensure that cardholders do not split purchases to circumvent their single purchase limit and the combined charges of cardholders do not exceed established monthly procurement limits.

The APM also provides guidelines for cardholders. AOs designate cardholders and the APC approves the designation. Cardholders make purchases for their respective FDIC office or division and are responsible for:

  • maintaining physical security of their card and safeguarding the credit card account number;
  • ensuring that the card is used solely for official FDIC business, in accordance with FDIC policy;
  • obtaining fair and reasonable prices for all purchases and ensuring that the prices do not include sales taxes;
  • maintaining sufficient documentation and descriptions to justify card charges; and
  • verifying the accuracy of the charges reflected on their monthly billing statements from the Bank of America.

Another function involved in the FDICís procurement credit card program is the Accounting Contact. AOs designate an Accounting Contact for their FDIC division or office. The Accounting Contact assists with the payment process by reconciling the cardholderís record of purchases to the monthly cardholder statement of credit card charges from the Bank of America and preparing an Excel spreadsheet. The spreadsheet contains all the purchasing information during the billing cycle, and the Accounting Contact provides this information to the FDIC Division of Administrationís Acquisition and Corporate Services Branch, Acquisition Section. The Acquisition Section prepares a Purchase Authorization Voucher and forwards this voucher to the Division of Finance for final payment to the Bank of America for items or services procured.

The FDICís APM also establishes procurement thresholds. The maximum single purchase limit for any cardholder is $5,000 unless approved by the APC. In addition, according to the APM, the monthly procurement limit for a cardholder is $50,000 unless a higher amount is approved by the APC. However, in practice, many cardholders have thresholds of $2,500 for a single purchase and $25,000 monthly. As the procurement credit card program has evolved, the APC has approved higher thresholds for certain cardholders. These thresholds range from $25,000 for single and $150,000 for monthly purchases to $250,000 for single and $1,000,000 for monthly purchases. (Note: Only one FDIC employee, the Chief, Administration Contracting Group, has a threshold of $250,000 for single and $1,000,000 for monthly purchases.)

In addition to the above guidelines, the APM describes the types of purchases that are acceptable and those that are prohibited. Some examples of acceptable purchases include: building repairs, equipment purchases, external training courses, membership fees and association dues, advertising, carpet repair, and non-monetary awards. Some examples of prohibited purchases include official travel expenses, rental or lease of buildings, telecommunications services, artwork, and computer software/hardware warranties. Additionally, only cardholders in the FDIC Division of Information Resources Management (DIRM) are authorized to procure information resources management goods and services.

The FDICís procurement credit card program has over 500 cardholders. For the 2-year period beginning January 1, 2000, purchases made as part of the procurement card program totaled approximately $15 million. Given this level of usage, the Corporation uses internal control procedures to ensure proper procurement credit card usage and assist in preventing and detecting fraud, abuse, and errors. For example, it has established controls for spending thresholds and responsibilities of all parties involved in the program.

Toward the end of our audit fieldwork, the Presidentís Council on Integrity and Efficiency, composed of presidentially appointed Inspectors General (IG), and the Executive Council on Integrity and Efficiency, mainly composed of the IGs who are appointed by agency heads, issued A Practical Guide for Reviewing Government Purchase Card Programs. This guide also incorporates the GAO Control Standards, and we used it as a reference in conducting our review.

RESULTS OF AUDIT

Internal control over the Corporationís procurement credit card program was not fully effective. In line with the GAOís standards for internal control, the FDIC took action to foster an environment for proper use of procurement cards by establishing and communicating formal policies, procedures, and approval processes to reduce the risk of improper use of the card. However, we determined that FDIC employees were not always fully complying with established policies, procedures, and control activities, and in some cases the policies and procedures needed reinforcement, modification, or clarification. It is important to note that individual deficiencies were not material; however, collectively, they represent systemic weaknesses that increase the risk of misuse. For example, in some cases procurement credit cards and numbers were not properly safeguarded, employees were able to circumvent purchase limits, some purchases lacked supporting documentation, and employees at times incurred sales taxes although the APM specifically prohibits paying these charges. Also, in the absence of clear policies and procedures, extravagant meals and alcoholic beverages were purchased with procurement credit cards, as well as other purchases that may not qualify as "official business." (Note: It should be noted that no regulatory or contractual prohibitions are in effect for the FDIC with respect to the purchase of alcoholic beverages.)

The FDIC could strengthen its procedures for monitoring and overseeing the effectiveness of the procurement card program. The FDIC does not have effective procedures for canceling the cards for employees departing the FDIC, and in several cases, former employees continued to have credit card privileges even after their departure from the Corporation. In addition, the FDIC did not perform analyses on a regular basis to determine whether cardholders are using the procurement credit card and have a business need for the card. Some employees in our sample were issued cards but rarely used them, increasing the risk of misuse or undetected loss of the procurement credit card. Finally, procurement cardholders had spending limits that exceeded their normal purchase activity, and limits were not reviewed to ensure they reflected the extent of spending that users were likely to incur. As a result, the FDIC procurement credit card program is more vulnerable to fraud and misuse.

The Corporation has not conducted a formal risk analysis to identify specific types of vulnerabilities and steps to address them, such as training, revisions to policy, and other means of communicating information on the proper use of the card. The risk analysis is another suggested component of GAOís standards for internal control.

COMPLIANCE WITH EXISTING FDIC POLICIES

FDIC employees responsible for conducting procurement credit card functions did not consistently safeguard the cards or comply with other existing FDIC policies and procedures. For example, cardholders

  • allowed other FDIC employees to use their card to purchase goods and services for the Corporation,
  • circumvented charge card limits by splitting purchases,
  • did not retain required documentation,
  • purchased items that should have only been purchased by employees of authorized divisions, and
  • paid sales taxes although prohibited.

The GAOís Internal Control Management and Evaluation Tool recommends control activities such as training to help employees understand their roles and responsibilities. However, the FDIC had not established an ongoing training program for employees involved in the Corporationís procurement credit card program. Non-compliance can result in credit card abuses or losses to the FDIC.

Procurement Credit Cards Not Properly Safeguarded

Procurement cardholders allowed other employees who were not authorized to purchase goods or services for the FDIC. FDIC APM 9.E.4.c (2) states that cardholders are designated by the AO and approved by the APC to make purchases for their respective division location accounts through the use of their procurement credit cards. These cardholders are responsible for the physical security of their card and for safeguarding the credit card account number. We identified four cardholders working in DIRM who allowed other DIRM employees to purchase goods and services for the FDIC using the cardholderís procurement credit card. One of the four DIRM employees who had a procurement credit card issued to him, with thresholds of $5,000 per transaction and $50,000 monthly, allowed several other DIRM employees to charge goods and services on the card. The procurement cardholder provided the credit card number to these individuals to use in making purchases. When these individuals made purchases, the transactions would be recorded on the monthly bill of the cardholder. The cardholder would then request receipts from the employees who were making the purchases. Once the cardholder received the receipts, the cardholder would review the charges and forward the bill and receipts to the approving official who later approved all the charges.

The DIRM cardholders stated that it was a business decision to limit the number of physical procurement credit cards issued in DIRM so that only higher ranking employees received a card to purchase goods or services. However, the cardholders provided subordinates with the card number and permitted them to make purchases. It should be noted that the DIRM employees making the purchases were doing so as a standard part of their work requirements. However, by allowing multiple employees to use the procurement card and exposing the account number, the FDIC employees increased the risk of an individual accessing the credit card privileges and improperly purchasing items. The Agency Program Coordinator, Acquisition Services Branch, DOA, needs to ensure that all procurement credit card holders are aware of not allowing other FDIC employees to use their procurement credit cards. In addition, cardholders need to be aware of the importance of maintaining security of the credit card itself and the credit card number.

During our audit, we notified DOA of this matter, and DOA initiated three actions. First, DOA authorized additional procurement credit cards for the DIRM employees who were responsible for making purchases. This facilitated tracking and accounting for the credit cards and card activity. Second, DOA issued a notice to procurement credit card program participants, reinforcing the Corporationís policy on the authorized use of the procurement credit card and reminding cardholders of the critical importance of adhering to the policy. Third, DOA cancelled the credit card privileges for the DIRM employee whose credit card number was widely distributed to other employees.

Non-Compliance with FDIC Procurement Credit Card Policies

We noted multiple instances of non-compliance with procurement credit card policies. The FDICís APM prohibits activities such as splitting purchases to circumvent spending limits, requires rotating sources to preclude repeated acquisitions from the same vendor, and requires responsible employees to maintain documentation to support their purchases. In addition, the policy restricts the purchase of certain items such as books, office supplies, and information resources management goods and services to only cardholders in designated FDIC divisions and states that procurement credit card charges are not subject to sales taxes.

Twenty-five of 30 cases (84 percent) in our audit sample involved at least one instance where an employee did not comply with established requirements. In 7 of the 30 cases, there were 3 or more instances of non-compliance. Among these, there were instances of splitting purchases that circumvented procurement credit card spending limits. Split purchases can also limit competition for procurements. Not adhering to the Corporationís guidelines increases the risk of improper procurement card usage, paying excessive prices, erroneous payments, or fraudulent purchases.

Table 1 shows the types of non-compliance and the number of cardholders for each type. (Note: Some cardholders had multiple instances of non-compliance.

Table 1: Instances of Non-Compliance

Type of Non-Compliance

Number of Cardholders

Potential Risks

No Supporting Receipts/ Charges Not Properly Documented

10

Unauthorized purchases

Paid Sales Taxes

10

Excessive costs

Unresolved disputed amounts

2

Excessive costs

Use of Card or Card Number by Employees Other Than Cardholder

6

Unauthorized purchases

Split Purchases/Multiple Purchases from Same Vendor

2

Excessive costs due to lack of competition

Inappropriately Purchased Restricted Equipment

1

Excessive costs/ Unauthorized purchases

Various Other Types of Non-Compliance (example-exceeding non-monetary award limits)

8

Excessive costs/ Unauthorized purchases

Source: OIG analysis of cardholder records.

The Corporation does not have an ongoing training program for all procurement cardholders, approving officials, and accounting contacts. Rather, management stated that in the past, training has been provided to cardholders on an inconsistent basis. Specifically, in 1996 and 1997 mandatory briefings were held for program participants. In addition, in 2001, briefings were held for cardholders with increased thresholds. However, this training has not been provided on a regular basis to all cardholders nor have the policies been reiterated to cardholders periodically. Periodic training is a control activity that provides a level of assurance that employees understand their responsibilities, particularly those regarding procurement card usage.

In order to ensure that agencies implement adequate systems of internal control over their programs, the U.S. General Accounting Office issued Standards for Internal Control in the Federal Government (Control Standards). Those standards provide a basic framework for agencies to assess the risks they face and to determine internal control activities necessary to mitigate those risks. Internal control activities may vary from agency to agency depending upon such factors as risk. However, the GAOís Internal Control Management Evaluation Tool (GAO-01-1008G, August 2001), which is based on the Control Standards, recognizes that the effective management of an organizationís workforce, its human capital, is a common internal control activity. Specifically, according to GAO, management should provide employees with the necessary orientation and training to perform their duties and responsibilities and meet the demands of changing organizational needs. As noted in Table 1, the high incidence rate of non-compliance with FDIC procurement credit card policies increases significantly the risk to the Corporation of unauthorized purchases and excessive costs, including those caused by a lack of price competition.

Recommendation

We recommend that the Director, DOA:

  1. Provide periodic training to procurement cardholders and approving officials in order to reiterate the policies and procedures governing the procurement credit card program. The policies over roles and responsibilities; security over the card; procurement thresholds; permissible, prohibited, and restricted use; supporting documentation requirements; repeated acquisitions from the same vendor (split purchases); refreshment/meal requirements; payment of sales taxes; and procedures for card usage should be reinforced.

PROCUREMENT CREDIT CARD USED FOR "EXTRAVAGANT MEALS" AND QUESTIONABLE BUSINESS PURPOSE

In a very limited number of cases, procurement credit cards were used for meals and refreshments that could be considered "extravagant" and where the business purpose was questionable based on existing FDIC policy. Also, in one case the approving official for a cardholder was a subordinate. While limited, each of these instances evidences the lack of clear FDIC policy guidance on aspects of the procurement credit card program that can result in increased costs to the FDIC.

Although the FDICís APM prohibits purchases of extravagant meals, it does not define the term "extravagant." For comparative purposes to judge the extravagance, we used the FDICís policies for reimbursing meals of employees while in a travel status. The FDIC reimburses employees $22 per day for dinner and $11 per day for lunch expenses for the geographic locations we reviewed. For analytical purposes, we considered expenditures that were double the travel reimbursement rates or greater to be extravagant, i.e., $44 or more for dinner and $22 or more for lunch. In instances noted, the employees charged meals that exceeded our baseline by as much as 3 times that amount. These charges also included alcoholic beverages, which is an expense that the FDIC does not reimburse employees for under its general travel policies. (Note: FDICís General Travel Regulations, Travel Regulations Overview, Nonreimbursable Expenses.) Table 2 provides a comparison of the cost of the meals versus our baseline amount for analytical purposes.

Table 2: Analysis of Meal Costs

OCCASION TOTAL PRICE NUMBER OF EMPLOYEES PRICE PER PERSON OIG BASELINE (2 TIMES PER DIEM RATE)
1 Ė Conference Dinner

$3,886

76

$51

$44

2 Ė Conference Dinner

$2,238

17

$132

$44

3 Ė Lunch

$119

3

$40

$22

Source: OIG analysis of cardholder records.

Example 1 reflects the cost of dinner and drinks, including alcoholic beverages, for a meal associated with an FDIC conference. In example 2, although drinks were included in the price, we were unable to determine whether alcohol was purchased based on review of the bill which did not further break down the charges. Example 3 in the above table represents a purchase at a Washington, D.C. restaurant where the cardholder used his procurement credit card to buy lunches for a total of three FDIC employees. The cardholder intended the purchase as an appreciation or farewell gesture for one of the attendees. The bill included charges for alcoholic beverages. In addition to the cost of the lunch being almost twice the reimbursable lunch per diem rate for Washington, D.C. of only $22, we question the business purpose of the lunch. Existing FDIC policy is unclear on whether this is an official FDIC business expense. Rather than the Corporation paying for meals of employees leaving the FDIC, this type of more personal expense could be paid for by the attendees of the farewell lunch.

The FDICís APM states that the procurement cards can be used for refreshments and meals as long as the purchase is non-extravagant and used during the ordinary course of official FDIC business conferences, meetings, luncheons, dinners, or other functions. However, the manual does not further define "official FDIC business." The examples stated above appear to be extravagant in nature when reviewing the cost per person and comparing the amount to the reimbursable per diem rate for an employee on official travel. In addition, the Corporation should only pay for charges that are business-related and benefit the Corporation. For example, credit card charges to celebrate birthdays, retirements, holidays or other special personal celebrations should be prohibited.

Additionally, although the APM does not specifically prohibit the purchase of alcoholic beverages using the procurement credit card, the FDICís travel policies provide guidelines concerning reimbursable employee expenses. Those guidelines prohibit the reimbursement of employees for purchases of alcoholic beverages. In addition, FDICís Circular 2500.3, FDIC-Sponsored Government Travel Card Program, states that the travel card is to be used only for official travel-related services. Because the purchase of alcohol is not an allowable travel reimbursement, the travel card should not be used for these types of purchases. Further, the FDICís travel card has a block on purchases made at package stores for items including beer, wine, and liquor. Therefore, in our opinion, permitting the purchase of alcoholic beverages using the procurement card is inconsistent with travel card policies, could adversely impact the publicís perception of the Corporation and its employees, and could pose related liability issues to the Corporation.

Finally, the approving official for the cardholder who purchased the meals totaling $2,238 was the cardholderís subordinate. It is not a good business practice to have the approving official as a subordinate to the cardholder because the cardholder can exercise influence over the approving official. The current APM is silent on this issue. Modifying the manual to preclude an approving official being subordinate to the cardholder can help deter misuse of procurement credit cards.

Recommendations

We recommend that the Director, DOA, use the FDICís Acquisition Policy Manual, Chapter 9, to:

  1. Define extravagant meals and refreshments and what constitutes an allowable and unallowable expense for meal purchases using the procurement credit card.

  2. Prohibit the purchase of alcoholic beverages using the procurement credit card.

  3. Require approving officials not be subordinates to the cardholders for whom they approve purchases.

CANCELLATION OF PROCUREMENT CREDIT CARDS

The FDIC did not cancel procurement cards timely for employees departing FDIC employment. Specifically, the procurement card was not canceled timely for six of eight former employees in the sample we reviewed. The FDIC canceled the cards from 3 to 104 days after the employee was no longer employed by the Corporation. This occurred because the FDIC did not follow the guidelines in its APM and the FDIC lacked adequate pre-departure clearance procedures for employees departing FDIC employment. Untimely cancellation increases the risk that former employees or others who may have access to the account number may make unauthorized purchases.

The APM Section 9.E.6.e, Procurement Credit Card Program ĖResignation or Reassignment of Cardholder or Approval Official, requires that when a cardholder leaves the FDIC or moves to another FDIC location, the APC, or his/her designee, must be immediately notified. Before a cardholderís departure from his/her office, the AO must ensure that the credit card is retrieved from the cardholder and destroyed. The APC, or his/her designee, should notify the Bank of America, and the account will be closed.

Because the FDIC has reorganized and reduced staffing levels corporate-wide, many individuals have left or will be leaving the Corporation. Improvements are needed to cancel procurement credit cards when individuals leave either permanently or to relocate. One additional means of strengthening controls is to revise Circular 2150.1, Pre-Exit Clearance Procedures for FDIC Employees, specifically the Pre-Exit Clearance Record for Employees. During the period of our review, the circular did not incorporate the requirement in APM 9.E.6.e regarding retrieval of the credit card from relocating or departing employees. Subsequent to our review, the FDIC revised the circular to include the procurement credit card as an item for collection, and the circular now describes specific actions that need to be taken for departing employees holding the procurement credit cards. During the course of our review, we discussed this matter with DOA and issued a memorandum to advise the Director, DOA, of the weakness in the procurement credit card cancellation process.

On July 3, 2002, DOA issued a notice to all credit card approving officials and administrative officers to highlight the corporate policies pertaining to exiting and relocating employees. The notice also stated that due to the FDICís ongoing reorganization and number of people leaving the Corporation under the buyout program, approving officials were requested to provide a list of all procurement cardholders currently under their authority. Further, the notice communicated the new procedures contained in Circular 2150.1, Pre-Exit Clearance Procedures for FDIC Employees. DOA issued the Circular in final on September 17, 2002. The revised circular includes the following added control activities:

  • The procurement credit card and corresponding convenience checks are listed on the Pre-Exit Clearance Record for Employees form as items that need to be returned to the FDIC.

  • Administrative officers are required to obtain the employeeís FDIC procurement credit card; any remaining convenience checks; and cardholder file, including receipts for outstanding charges, before the last day of official duty. The administrative officer must also notify the APC of the cardholderís effective date of departure, destroy and dispose of the cardholderís procurement card and convenience checks upon receipt of cancellation information from the APC, and return the cardholder file to the APC with any outstanding receipts.

Implementation of the control activities mentioned above will reduce the risk of improper procurement credit card usage by former employees. However, canceling a cardholderís card and convenience checks in a more timely manner, specifically, as soon as employees provide notice that they will leave FDIC employment or in cases where they relocate and will no longer be in positions requiring use of the card, will further strengthen internal control. This measure should help reduce the risk of any unauthorized purchases by the cardholder between the time that notice is provided to the FDIC and the actual departure or transfer date and ensure that the procurement credit card is canceled prior to the employeeís actual departure or transfer.

Recommendation

We recommend that the Director, DOA:

  1. Enforce APM Section 9.E.6.e by reminding cardholders/approving officials of the requirement to immediately notify the APC, or his/her designee when the cardholder/approving official either leaves the FDIC or moves to another FDIC position so that the APC can notify the Bank of America to cancel the card.

ISSUING PROCUREMENT CARDS AND REDUCING PROCUREMENT THRESHOLDS

Many FDIC procurement cardholders were only using the card for a limited amount of activity. In addition, procurement cardholders had spending limits that exceeded their normal purchase activity. For instance, 79 cardholders used the card five times or fewer during a 2-year period. One of those cardholders had a single purchase limit of $250,000 and another had a limit of $100,000. The highest dollar amount that these individuals spent during a 2-year period was $98,490 and $1,833, respectively. The FDIC had not reviewed cardholder purchase records to assess cardholder inactivity and excessive spending limits. The GAOís Internal Control Management and Evaluation Tool suggests that the risk of unauthorized use be controlled by restricting access. Excessive access to procurement credit card privileges increases the risk of unauthorized usage. Limiting access to credit card privileges is an essential internal control activity.

The Director of the Office of Management and Budget (OMB) recognized the importance of internal control in the federal governmentís credit card program and issued OMB Memorandum M-02-05, dated April 18, 2002, suggesting that agencies prepare remedial action plans for their programs. Specifically the memorandum states "Your plans should also include an examination of the number of cards issued at your agency. One step that may prove useful would be to deactivate all current cards and reactivate them selectively for a smaller number of cardholders, based on demonstrated necessity." By examining the number of cards issued and the related thresholds, the FDIC may be able to preclude unnecessary access to credit card privileges and reduce the risk of unauthorized card usage.

Recommendations

We recommend that the Director, DOA:

  1. Perform an analysis on a regular basis to determine whether cardholders are using the card. If a cardholder is not using the card on a fairly regular basis, consider canceling the card privileges.

  2. Review the spending limits for all cardholders and ensure that the limits reflect the extent of spending that they are likely to incur.

MANAGEMENT ASSESSMENT OF PROGRAM RISK

Management can enhance its assessment of procurement card program risk by conducting a risk assessment. Notwithstanding establishment of an overall control environment, including policies and procedures to address the risk of improper use of the card, the Corporation has not conducted a formal risk analysis that may have identified specific types of vulnerabilities and steps to address them. DOA does engage in periodic Administrative Compliance Reviews (ACR) of procurement credit card use. These reviews examine the appropriateness of procurement credit card use and support for purchases made after the fact. However, without first devising a thorough plan for risk management over the entire procurement card program, these reviews may be a less effective control than they could be. For example, a risk assessment could identify vulnerabilities that are not presently tested using the ACRs. Additionally, lack of an overall risk assessment may have limited DOA from establishing all other necessary control activities. This absence of risk identification may make the Corporationís procurement credit card program vulnerable to increased misuse.

According to GAOís Standards for Internal Control, a risk assessment is an integral component of the entityís internal control system. GAO states that management has to formulate an approach for risk management and decide upon the internal control activities required to mitigate those risks and achieve the internal control objectives of efficient and effective operations. Review of both internal and external risks involved in a program facilitates the design of effective internal control activities.

Such an assessment of the FDIC procurement credit card program could have helped identify a need for increased emphasis on compliance and training, better clarity of policies, appropriateness of purchase thresholds, more timely cancellation of cards, and other means of communicating information on the proper use of the card. Absent full awareness of the risks, management controls were not as effective as they could have been and the program as a whole was more vulnerable.

Recommendation

We recommend that the Director, DOA:

  1. Conduct a risk assessment of the procurement card program and establish the necessary control activities to mitigate the risks identified.

CORPORATION COMMENTS AND OIG EVALUATION

On January 24, 2003, the DOA Director provided a written response to the draft report. The response is presented in Appendix II to this report. In its written response, DOA management concurred with recommendations 1, 4, 5, 6, 7, and 8. These recommendations are considered resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions have been completed and are effective. DOA management did not concur with recommendations 2 and 3, suggest acceptable alternative actions, or provide information that would convince us to revise either of the two recommendations. Because these two recommendations remain unresolved, undispositioned, and open, we are requesting DOA to reconsider its response to our report and provide us additional comments. DOAís responses to the recommendations are summarized below along with our evaluation of the responses.

Recommendation 1: Provide periodic training to procurement cardholders and approving officials in order to reiterate the policies and procedures governing the procurement credit card program. The policies over roles and responsibilities; security over the card; procurement thresholds; permissible, prohibited, and restricted use; supporting documentation requirements; repeated acquisitions from the same vendor (split purchases); refreshment/meal requirements; payment of sales taxes; and procedures for card usage should be reinforced.

DOA concurs with this recommendation. Subsequent to the end of our fieldwork in September 2002, DOA completed an online procurement credit card training module in December 2002 which will be available to program participants by the end of January 2003. The programís training policy is also being revised and will require all new cardholder applicants to take the course and receive a passing score prior to receiving the procurement credit card. Completion of the training module will be recorded in the FDIC training server, and the APC will have access to the training server to monitor cardholdersí completion of the required training module. Existing cardholders will also be required to take periodic training to refresh cardholders on their roles and responsibilities under the program.

In our view, the efforts made to date by DOA to have an online training program available to all procurement cardholders will improve the overall effectiveness of the program. Tracking the completion of the training for cardholders by the APC will also improve controls. In addition, to clarify a statement made in DOAís response, the OIG reviewed 30 cardholders from a population of 132 cardholders who engaged in at least $1,000 of purchases during the last quarter of 2001. In total, there were 780 credit card transactions for the 30 cardholders for this period. DOA stated in its response that there were 6,188 credit card transactions; however, this total reflects transactions during calendar years 2000 and 2001. The difference in the number of transactions used by DOA, 6,188 versus 780 in the OIG sample, increases the error rate from 1 percent as computed by DOA to approximately 9 percent.

This recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 2: Define extravagant meals and refreshments and what constitutes an allowable and unallowable expense for meal purchases using the procurement credit card.

DOA does not concur with this recommendation. DOA stated that the focus should not be on creating a definition for extravagant, but should instead be directed on the adequacy of the internal controls that govern approval. DOA does not consider that the examples cited by the OIG meet the intent of the definition of extravagant. DOA believes that the APM sufficiently addresses the purchase of meals and refreshments in a manner that minimizes potential risks to the Corporation. Specifically, the purchase of all refreshments and meals must be approved in advance and in writing at the Assistant Director-level or above in headquarters or the Regional Director/Regional Manager in the field. The current practice elevates the approval process to an executive level manager who has the ability to use discretion as circumstances warrant. DOA believes this high level of advanced written approval serves as an adequate internal control as it pertains to the use of the procurement card for refreshments. Further, DOA stated that for each of the exceptions noted in the OIG report, proper approval was obtained.

The pre-approval process alone will not result in consistent application of approved expenses throughout the Corporation if the Corporation does not further define in the APM extravagant meals and refreshments and what constitutes an allowable and unallowable expense for meal purchases. As cited in our examples, and from DOAís response, individuals have different definitions of extravagance and different opinions on the allowability of meal purchases. For example, the OIG considers that spending $132 per person for a meal and drinks is extravagant. Also, the Corporation should not be paying for the going away lunch for employees leaving the FDIC. This type of expense should be paid by the attendees of the farewell lunch. By defining both extravagant and what constitutes an allowable and unallowable expense for meal purchases, the FDIC can better control costs charged to procurement cards. Further, the OIG did not see evidence that prior written approval was obtained for the three exceptions noted in the report.

Because this recommendation is unresolved, undispositioned, and open, we have requested DOA to reconsider its response to our report and provide us additional comments.

Recommendation 3: Prohibit the purchase of alcoholic beverages using the procurement credit card.

DOA does not concur with this recommendation. DOA stated as with recommendation 2, above, that appropriate controls are in place and alcohol may only be purchased using the procurement credit card under these circumstances and controls. The current practice elevates the approval process to an executive level manager who has the ability to use discretion as circumstances warrant. Other than this approval process, alcohol may not be purchased using the procurement credit card.

The OIGís position is that the APM, Chapter 9, should prohibit the purchase of alcoholic beverages using the procurement credit card. Permitting the purchase of alcoholic beverages is inconsistent with travel card policies, could adversely impact the publicís perception of the Corporation and its employees, and could pose related liability issues to the Corporation. Also, because individuals have different viewpoints on the use of alcohol, policy prohibiting the purchase of alcohol using the procurement credit card would provide consistency throughout the Corporation.

Because this recommendation is unresolved, undispositioned, and open, we have requested DOA to reconsider its response to our report and provide us additional comments.

Recommendation 4: Require approving officials not be subordinates to the cardholders for whom they approve purchases.

DOA concurs with this recommendation. DOA agrees that an approving official should not be a subordinate to a cardholder for whom they approve purchases. To address this issue, by the first quarter of 2003, DOA will incorporate language into procurement credit card policy that clearly articulates the requirements of the approving official/cardholder relationship before issuance of a procurement credit card.

This recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 5: Enforce APM Section 9.E.6.e by reminding cardholders/approving officials of the requirement to immediately notify the APC, or his/her designee when the cardholder/approving official either leaves the FDIC or moves to another FDIC position so that the APC can notify the Bank of America to cancel the card.

DOA concurs with this recommendation. DOA recently issued interim guidance to the Corporation that addressed cancellation of the procurement credit card during the pre-exit clearance process. In addition, subsequent to issuing this interim guidance, the Pre-Exit Clearance Circular was updated with the revised requirements. This also included updating the Pre-Exit Clearance Form to require the administrative officer to collect the credit card and sign the form to acknowledge that the action was completed. DOA also stated that it will issue periodic reminders to the cardholders, approving officials, and administrative officers of the requirement to immediately notify the APC, or his/her designee when the cardholder/approving official either leaves the FDIC or moves to another FDIC position so that the APC can notify the contractor to cancel the account. The actions taken by DOA and future reminders to appropriate staff will improve the internal controls over the cancellation of procurement credit cards.

This recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 6: Perform an analysis on a regular basis to determine whether cardholders are using the card. If a cardholder is not using the card on a fairly regular basis, consider canceling the card privileges.

DOA concurs with this recommendation. DOA stated that usage reports for both the credit cards and convenience checks are obtained from the contractor on a quarterly basis. Analysis of cardholder usage was conducted, and the results were shared with the approving officials to determine whether credit cards should be cancelled for certain cardholders. The APC analyzed the responses and decided to expand the survey period to obtain a broader perspective on cardholder usage. DOA is in the process of analyzing the procurement credit card usage for 2002.

This recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 7: Review the spending limits for all cardholders and ensure that the limits reflect the extent of spending that they are likely to incur.

DOA concurs with this recommendation. DOA stated that the APC has incorporated a process to analyze the spending limits for cardholders on a quarterly basis to determine whether the spending thresholds or limits are appropriate. This evaluation is conducted in conjunction with the APCís analysis of cardholder usage. DOA is analyzing the spending limits for all cardholders for 2002 and expects to complete its analysis by March 31, 2003.

This recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 8: Conduct a risk assessment of the procurement card program and establish the necessary control activities to mitigate the risks identified.

DOA concurs with this recommendation. DOA stated that it will establish the procurement card program as an accountability unit and test the controls for those identified risks under the Chief Financial Officers Act. It will establish the accountability unit by March 31, 2003 and testing will take place as dictated in the Corporationís annual Management Control Plan.

The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

A summary chart showing managementís responses to all recommendations is presented in Appendix III.


APPENDIX I

SCOPE AND METHODOLOGY

To accomplish our objective, we:

  • Interviewed DOA personnel responsible for monitoring the FDICís procurement credit card program and personnel from various FDIC divisions and offices responsible for making and approving credit card purchases.
  • Reviewed policies and procedures, including the FDIC Acquisition Policy Manual, Section 9.E., entitled FDIC Procurement Credit Card Program.
  • Reviewed the Presidentís Council on Integrity and Efficiency (PCIE) and Executive Council on Integrity and Efficiency (ECIE) guide to conducting a review of an agencyís government purchase card program.
  • Reviewed the U.S. General Accounting Officeís (GAO) Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, issued November 1999) and GAOís Internal Control Management and Evaluation Tool (GAO-01-1008G, issued August 2001).
  • Obtained and relied upon data from the Bank of America that contained all purchases made by FDIC cardholders for the period of review, and conducted random attribute testing and data mining. We examined all cardholder activity during the 2-year period ending December 31, 2001 to identify trends and indicators of improper purchases, such as purchases from establishments that sell alcoholic beverages. From the unusual purchases identified, we reviewed 32 in detail. In addition, we used data mining to identify any outstanding procurement credit cards issued to former employees as of December 15, 2001.

For our random attribute sample, we selected 30 cardholders from a population of 132 cardholders who had engaged in at least $1,000 of purchases during the last quarter of 2001. This approach enabled us to select cardholders who had actually used the procurement credit card. In addition, in order to facilitate testing the adequacy of control activities nation-wide, the cardholders were selected from the FDICís Washington, Atlanta, Dallas, and Chicago regional offices.

We conducted the audit from February 2002 through September 2002 in accordance with generally accepted government auditing standards.


APPENDIX II

CORPORATION COMMENTS

FDIC Federal Deposit Insurance Corporation
Federal Deposit Insurance Corporation

550 17th Sreet, NW, Washington, DC 20429
Division of Administration

January 24, 2003

MEMORANDUM TO: Sharon M. Smith, Deputy Assistant Inspector General for Audits

FROM: Arleas Upton Kea [Electronically produced version; original signed by Arleas Upton Kea], Director, Division of Administration

SUBJECT: Management Response to the OIG Report: FDIC Procurement Credit Card Program

The Division of Administration (DOA) has completed its review of the subject Office of Inspector General (OIG) report. We appreciate the review performed by the OIG and its recommendations to enhance and improve the overall Procurement Credit Card Program. In the OIG report there are eight recommendations addressed to the FDICís Division of Administration (DOA). We have evaluated each recommendation, and have provided a detailed response to include planned corrective actions and expected completion dates as appropriate.

Management Decision:

Recommendation 1: We recommend that the Director, DOA, provide periodic training to procurement cardholders and approving officials in order to reiterate the policies and procedures governing the procurement credit card program. The policies over roles and responsibilities; security over the card; procurement thresholds; permissible, prohibited, and restricted use; supporting documentation requirements; repeated acquisitions from the same vendor (split purchases); refreshment/meal requirements; payment of sales taxes; and procedures for card usage should be reinforced.

Management Response 1: DOA appreciates the recommendation made by the OIG, and fully agrees that periodic training is important. As communicated to the OIG auditors during the review, the DOA Acquisition Services Branch (ASB), as the Agency Program Coordinator (APC) for the Procurement Credit Card Program, has made training an integral component of the program in order to fully educate the universe of corporate users. In the initial training efforts to roll-out the Procurement Card Program, DOA developed presentation materials and conducted periodic briefings to the corporate participants within the various FDIC divisions and offices to indoctrinate them to the requirements and guidelines that encompass the program. Attendance to these briefings was mandatory to all procurement card holders and approving officials.

Moreover, further confirmation of our commitment to ensure corporate awareness of the program was our development effort of the online Procurement Credit Card training module that we initiated and set in motion prior to the commencement of the OIG audit. The training module was completed in December 2002 and will be rolled out to program participants by the end of January 2003. The Programís training policy is also being revised and will require all new cardholder applicants to take the course and receive a passing score prior to receiving the procurement credit card. Completion of the training module will be recorded in the FDIC Training Server, and the APC will have access to the training server to monitor cardholderís completion of the required training module. Existing cardholders will also be required to take periodic training to refresh cardholders of their roles and responsibilities under the program.

Given the efforts made to date by the DOA APC, we believe management of the overall program has been effective. In addition to training that we have provided to existing cardholders, DOA has established a website dedicated to the program that readily provides all pertinent information on the program, to include policies and procedures. Additionally comprehensive oversight of the program is built into a three tiered approach to mitigate program risks. These include credit card transaction approval by the Approving Official, proactive oversight by the APC, and a comprehensive internal review program that continually evaluates and monitors the overall corporate-wide program. As an issue is identified, APC takes immediate action to address the cause for the given condition. Actions may include working with the Approving Official to address non-compliance issues, global email reminders, and/or program policy changes.

As shown in the OIG report, the number of non-compliance exceptions found (73) represent approximately one percent of the total credit card transactions (6,188) reviewed by the OIG during its audit. (Note: Information obtained from the OIG working papers. Total Credit Card Transactions of 6,188 was compiled by the APC from the information obtained from the Bank of America for purchases made during the calendar years 2000 and 2001. The scope was based on the narrative contained in the Scope and Methodology section of the OIG draft report.) We believe that the low number of non-compliance instances cited by the OIG is a direct result of the proactive oversight and previous training that DOA provided. DOA believes that an error rate of one percent is evident that the risks associated with the program are being mitigated by the existing internal controls that the APC has established and implemented in managing the program.

Recommendation 2: We recommend that the Director, DOA, use the FDICís Acquisition Policy Manual, Chapter 9, to define extravagant meals and refreshments and what constitutes an allowable and unallowable expense for meal purchases using the procurement credit card.

Management Response 2: DOA does not agree with the recommendation that "Extravagant Meal and Refreshments" be defined in the FDICís Acquisition Policy Manual. The focus should not be on creating a definition for "extravagant," but should instead be directed on the adequacy of the internal controls that govern its approval. Extravagant, as defined, means "given to imprudent or lavish spending or exceeding reasonable limits," DOA does not believe that the examples cited by the OIG meet the intent of the definition, which we believe is self-explanatory. For each of the exceptions noted in the OIG report, proper approval was obtained.

We believe that the APM sufficiently addresses the purchase of meals and refreshments in a manner that minimizes potential risks to the Corporation. Specifically, the purchase of all refreshments and meals must be approved in advance and in writing at the Assistant Director-level or above in Headquarters or the Regional Director/Regional Manager in the Field. The current practice elevates the approval process to an executive level manager who has the ability to use their discretion as circumstances warrant. We believe this high-level of advanced written approval serves as an adequate internal control as it pertains to the use of the procurement card for refreshments and meals.

Recommendation 3: We recommend that the Director, DOA, use the FDICís Acquisition Policy Manual, Chapter 9, to prohibit the purchase of alcoholic beverages using the procurement credit card.

Management Response 3: DOA does not agree with the recommendation to prohibit the purchase of alcoholic beverages using the procurement credit card. As with Response 2, above, appropriate controls are in place and alcohol may only be purchased using the procurement credit card under these circumstances and controls. The current practice elevates the approval process to an executive level manager who has the ability to use their discretion as circumstances warrant. Other than this approval process, alcohol may not be purchased using the procurement credit card.

Recommendation 4: We recommend that the Director, DOA, use the FDICís Acquisition Policy Manual, Chapter 9, to require approving officials not be subordinates to the cardholders for whom they approve purchases.

Management Response 4: DOA fully agrees with the recommendation that approving officials should not be a subordinate to a cardholder for whom they approve purchases. Although not specifically stated in the APM, this practice has always been in place and enforced by the Agency Program Coordinator (APC). As discussed with the OIG audit team, the APC was fully aware of the occurrence noted in the report where a subordinate employee served as the approving official to senior level employees who were cardholders. This cardholder/approving official relationship was established by a Regional Director. When the APC recognized the atypical arrangement, the APC notified the appropriate parties within the Division. It was determined that no specific action was to be taken until completion of the division-wide reorganization. After the reorganization, APC took appropriate action.

To address this program issue globally, DOA will incorporate language into procurement credit card policy that clearly articulates the requirements of the approving official / cardholder relationship before issuance of a procurement credit card. Specifically, the APM will prohibit subordinate employees from being an approving official to a supervisor. DOA will incorporate the requirement into policy by the end of the first quarter 2003.

Additionally, DOA is in the process of establishing a Letter of Appointment that will be issued to all Approving Officials detailing their specific roles and responsibilities. This is in addition to the Delegation Memos that are currently issued to all procurement credit card holders.

Recommendation 5: We recommend that the Director, DOA, enforce APM Section 9.E.6.e by reminding cardholders/approving officials of the requirement to immediately notify the APC, or his/her designee when the cardholder/approving official either leaves the FDIC or moves to another FDIC position so that the APC can notify the Bank of America to cancel the card.

Management Response 5: DOA appreciates the recommendation made by the OIG, and agrees that immediate cancellation of the procurement credit card should be made as cardholders separate from the Corporation or are reassigned within the FDIC. This practice has always been an important component of the procurement card program, and we believe the requirement is clearly communicated in Chapter 9 of the APM. In addition, the APC has directed communiquť to administrative officers that emphasize the importance that timely notification is made to the APC in order to cancel the procurement card immediately. To enforce and effectively monitor this area, the APC incorporated a process in 2000 to obtain, on a routine basis, employee separation and reassignment information from the DOA Personnel Services Branch. The APC staffs review the information to determine if any of the employees listed are cardholders and determine whether their procurement card was cancelled appropriately.

Further efforts by the APC to deal with timely cancellation of credit cards was made in August 2002 whereby the APC issued interim guidance to the Corporation that addressed cancellation of the procurement credit card during the pre-exit clearance process. Subsequent to this interim guidance, the Pre-Exit Clearance Circular was updated with the revised requirements. This also included updating the Pre-Exit Clearance Form to require the Administrative Officer to collect the credit card and sign the form to acknowledge that the action was completed.

The internal controls that we have established over the program are effective; however, as with all important aspects of the program, we will issue periodic reminders to the cardholders, approving officials, and administrative officers of the requirement to immediately notify the APC, or his/her designee when the cardholder/approving official either leaves the FDIC or moves to another FDIC position so that the APC can notify the contractor to cancel the account. DOA expects to issue its first reminder for the New Year by January 31, 2003.

Recommendation 6: We recommend that the Director, DOA, perform an analysis on a regular basis to determine whether cardholders are using the card. If a cardholder is not using a card on a fairly regular basis, consider canceling the card privileges.

Management Response 6: DOA concurs with the recommendation. The APC has incorporated cardholder usage analysis as the program has evolved and grown over the last six years. The analysis was part of the evaluative process as major program changes and enhancements were made. In 2000, APC expanded its oversight program and began routine analysis of cardholder usage. Usage reports for both the credit cards and convenience checks are obtained from the contractor on a quarterly basis. Analysis of the cardholder usage was conducted, and the results were shared with the Approving Officials to determine whether credit cards should be cancelled for certain card holders. The APC analyzed the responses and determined to expand the survey period to obtain a broader perspective on cardholder usage. DOA is in the process of analyzing the procurement credit card usage for 2002. Expected completion will be March 31, 2003.

Recommendation 7: We recommend that the Director, DOA, review the spending limits for all cardholders and ensure that the limits reflect the extent of spending that they are likely to see.

Management Response 7: DOA concurs with the recommendation. The APC has incorporated a process to analyze the spending limits for cardholders on a quarterly basis to determine whether the spending thresholds or limits are appropriate. This evaluation is conducted in conjunction with APCís analysis of cardholder usage, as discussed in Management Response 6. DOA is in the process of analyzing the spending limits for all cardholders for 2002. Expected completion for this initial analysis will be March 31, 2003.

Recommendation 8: We recommend that the Director, DOA, conduct a risk assessment of the procurement card program and establish the necessary control activities to mitigate the risks identified.

Management Response 8: DOA concurs with this recommendation. It is important to note that extensive internal controls have been incorporated into the procurement card program and that oversight of the program includes routine risk assessment. However, due to the high-level of attention and interest given to the credit card programs throughout the federal government, DOA will establish its program as an Accountability Unit and test the controls for those identified risks under the Chief Financial Officers Act (CFOA). The Accountability Unit will be established by March 31, 2003, and testing will take place as dictated in the annual Management Control Plan submitted to the Office of Internal Control Management.

If you have any questions regarding the response, our point of contact for this matter is Andrew Nickle, Audit Liaison for the Division of Administration. Mr. Nickle can be reached at (202) 942-3190.

cc: Dave McDermott
Vijay Deshpande


APPENDIX III

MANAGEMENT RESPONSES TO RECOMMENDATIONS

This presents the management responses that have been made on recommendations in our report and the status of recommendations as of the date of report issuance. The information in this table is based on managementís written response to our report.

Note: The following information applies to the Management Responses to Recommendations below.

Resolved: (1) Management concurs with the recommendation and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

Dispositioned: The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation. Once the OIG dispositions the recommendation, it can then be closed.

Recommendation Number 1

Corrective Action: Taken or Planned/Status: DOA concurs with the recommendation and completed an online procurement credit card training module in December 2002 which will be available to program participants by the end of January 2003. In addition, existing cardholders will also be required to take periodic training to refresh cardholders on their roles and responsibilities under the program.

Expected Completion Date: January 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 2

Corrective Action: Taken or Planned/Status: DOA does not agree with this recommendation and stated that the focus should not be on creating a definition for extravagant, but should instead be directed on the adequacy of the internal controls that govern approval. OIG requests that DOA reconsider its response to our report and provide us additional comments.

Expected Completion Date: (There is no date provided in the report.)

Monetary Benefits: N/A

Resolved -- Yes or No: No

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 3

Corrective Action: Taken or Planned/Status: DOA does not agree with this recommendation and stated as with recommendation 2, above, that appropriate controls are in place and alcohol may only be purchased using the procurement credit card under these circumstances and controls. OIG requests that DOA reconsider its response to our report and provide us additional comments.

Expected Completion Date: (There is no date provided in the report.)

Monetary Benefits: N/A

Resolved -- Yes or No: No

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 4

Corrective Action: Taken or Planned/Status: DOA concurs with the recommendation and will incorporate language into procurement credit card policy that clearly articulates the requirements of the approving official/cardholder relationship before issuance of a procurement credit card.

Expected Completion Date: March 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 5

Corrective Action: Taken or Planned/Status: DOA concurs with the recommendation and has revised the Pre-Exit Clearance Circular. In addition, DOA will issue periodic reminders to the cardholders, approving officials, and administrative officers of the requirement to immediately notify the APC, or his/her designee when the cardholder/approving official either leaves the FDIC or moves to another FDIC position so that the APC can notify the contractor to cancel the account.

Expected Completion Date: January 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 6

Corrective Action: Taken or Planned/Status: DOA concurs with the recommendation and is in the process of analyzing the procurement credit card usage for 2002.

Expected Completion Date: March 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 7

Corrective Action: Taken or Planned/Status: DOA concurs with the recommendation and has incorporated a process to analyze the spending limits for cardholders on a quarterly basis to determine whether the spending thresholds or limits are appropriate.

Expected Completion Date: March 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Recommendation Number 8

Corrective Action: Taken or Planned/Status: DOA concurred with the recommendation and will establish its program as an Accountability Unit and test controls for those identified risks under the Chief Financial Officers Act.

Expected Completion Date: March 31, 2003

Monetary Benefits: N/A

Resolved -- Yes or No: Yes

Dispositioned -- Yes or No: No

Recommendation Open or Closed: Open

Last Updated 05/05/2003